example.config

访问基于802.1x认证方式的网络

## This is an example file for the future configuration format
## for xsupplicant. The file has two parts. The first part, called the
## "global" section contains meta information controlling how xsupplicant
## behaves. This section also affects how the second half of the file
## is parsed. The second part is the "network" section and contains
## information about the actual networks being serviced. ALL configuration
## files must have BOTH a globals section and a network section defined.

## As should be clear by now, this is a comment

### GLOBAL SECTION

# network_list: defines all of the networks in this file which 
#      should be kept in memory and used.Comma delimited list or "all"
#      for keeping all defined configurations in memory. For efficiency,
#      keep only the networks you might roam to in memory.
#      To avoid errors, make sure your default network is always
#      in the network_list.

network_list = all
#network_list = default, test1, test2

# default_netname: some users may actually have a network named "default".
#      since "default" is a keyword in the network section below, you can
#      change which is to be used as the replacement for this keyword

default_netname = default
#default_netname = my_defaults

# startup_command: the command to run when ...
startup_command = <BEGIN_COMMAND>echo "some command"<END_COMMAND>

# first_auth_command: the command to run when ...
first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>

# reauth_command: the command to run when...
reauth_command = <BEGIN_COMMAND>echo "authenticated user %i"<END_COMMAND>

logfile = /var/log/xsup_logfile

auth_period = 10

held_period = 10

max_starts = 2

allow_interfaces = eth0, wlan0

deny_interfaces = eth1

###  NETWORK SECTION



# the general format of the network section is a network name followed
# by a group of variables 

# network names may contain the following characters: a-z, A-Z, 0-9, '-', 
# '_', '\', '/'
# Those interested in having an SSID with ANY character in it can use
# the ssid tag within the network clause. Otherwise, your ssid will
# be the name of the network.

## The default network is not a network itself. These values are 
## the default used for any network parameters not overridden 
## in another section. If it's not in your network configuration
## and not in your default, it won't work!!

default  
{ 
  # type: the type of this network. wired or wireless
  type = wireless

  # allow_types:  describes which types this network will allow
  # allow_types = eap_tls, eap_md5, eap_gtc, eap-otp
  allow_types = all

  # Should we control the wireless card?  (Set/Reset WEP keys, etc.)
#  wireless_control = no

  ## TBD: prefer_types: what to put in a Nak
  
  # identity:  what to respond with when presented with an EAP Id Request
  #   Typically, this is the username for this network. Since this can
  #   be an arbitrary string, enclose within <BEGIN_ID> and <END_ID>
  identity = <BEGIN_ID>myid@mynet.net<END_ID>

  dest_mac = 00:aA:bB:cC:dD:eE

  ## method-specific parameters are kept in the method 
  eap_tls {
     user_cert = /path/to/certificate
     user_key  = /path/to/private/key
     user_key_pass = <BEGIN_PASS>password for key<END_PASS>
     root_cert = /path/to/list/of/valid/roots
     crl_dir = /path/to/dir/with/crl
     session_resume = yes
     chunk_size = 1398
     random_file = /path/to/random/source
  }

  eap-md5 {
      username = <BEGIN_UNAME>testuser<END_UNAME>
      password = <BEGIN_PASS>testuserpass!<END_PASS>
  }

  eap-ttls {
      user_cert = /path/to/certificate
      #as in tls, define either a root certificate or a directory
      # containing root certificates
      #root_cert = /path/to/root/certificate
      root_dir = /path/to/root/certificate/dir
      crl_dir = /path/to/dir/with/crl
      session_resume = no
      user_key  = /path/to/private/key
      user_key_pass = <BEGIN_PASS>password for key<END_PASS>
      chunk_size = 1398
      random_file = /path/to/random/source      
      cncheck = myradius.test.org
      cnexact = yes
      # phase2_type defines which phase2 to actually DO. You
      #  MUST define one of these.
      phase2_type = chap
      ## These are definitions for the different methods you might
      ## do at phase2. only the one specified above will be used
      ## but it is valid to leave more than one here for convenience
      ## and easy switching.
      pap {
        username = <BEGIN_UNAME>papuser<END_UNAME>
        password = <BEGIN_PASS>pappasswd<END_PASS>
      }
      chap {
        username = <BEGIN_UNAME>chapuser<END_UNAME>
        password = <BEGIN_PASS>chappasswd<END_PASS>
      }
      mschap {
        username = <BEGIN_UNAME>mschapuser<END_UNAME>
        password = <BEGIN_PASS>mschappasswd<END_PASS>
      }
      mschapv2 {
        username = <BEGIN_UNAME>mschapv2user<END_UNAME>
        password = <BEGIN_PASS>mschapv2passwd<END_PASS>
      }
  }
 
  eap-leap {
      username = <BEGIN_UNAME>leapuser<END_UNAME>
      password = <BEGIN_PASS>leapuserpass!<END_PASS>
  }
  
  eap-mschapv2 {
      username = <BEGIN_UNAME>eapmschapv2user<END_UNAME>
      password = <BEGIN_PASS>eapmschapv2userpass!<END_PASS>
  }

  eap-peap {
      identity = <BEGIN_ID>phase2-identity-PEAP<END_ID>
      user_cert = /path/to/certificate
      root_dir = /path/to/root/certificate/dir
      crl_dir = /path/to/dir/with/crl
      user_key  = /path/to/private/key
      user_key_pass = <BEGIN_PASS>password for key<END_PASS>
      chunk_size = 1398
      cncheck = myradius.subdomain.mynet.com
      cnexact = no
      random_file = /path/to/random/source      

      #Currently 'all' is just mschapv2 
      #If no allow_types is defined, all is assumed
      allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
      #allow_types = eap_mschapv2

      # right now you can do any of these methods in PEAP:
      eap-mschapv2 {
        username = <BEGIN_UNAME>phase2mschapv2<END_UNAME>
        password = <BEGIN_PASS>phase2mschapv2pass<END_PASS>
      }
      eap-md5 {
        username = <BEGIN_UNAME>phase2md5<END_UNAME>
        password = <BEGIN_PASS>phase2md5pass<END_PASS>
      }
      eap-sim {
        username = <BEGIN_UNAME>phase2simuser<END_UNAME>
        password = <BEGIN_PASS>phase2simuserpass!<END_PASS>     
         auto_realm = yes
      }
  }

  eap-sim {
      username = <BEGIN_UNAME>simuser<END_UNAME>
      password = <BEGIN_PASS>simuserpass!<END_PASS>     
      auto_realm = yes
  }
}

test1
{
  type = wired
  # ssid: you should not define this unless you have characters
  #   other than those specified above in the ssid of your network
  ssid = <BEGIN_SSID>mvemjsnp<END_SSID>

  allow_types = all
  identity = <BEGIN_ID>Check this out- any char!#$<END_ID>
  wireless_control = no

}


test2.my.network
{
  # ssid: you should not define this unless you have characters
  #   other than those specified above in the ssid of your network
  ssid = <BEGIN_SSID>up to 32 character ASCII string<END_SSID>
  identity = <BEGIN_ID>testuser@testnet.com<END_ID>

  allow_types = eap-tls
  type = wireless
  wireless_control = yes
}

test3
{
  # ssid: you should not define this unless you have characters
  #   other than those specified above in the ssid of your network
  ssid = <BEGIN_SSID>foo-network!<END_SSID>

  type = wired

  identity= <BEGIN_ID>this will work too<END_ID>
}